Highlighted

ColdFusion 2018 Server Auto Lockdown Tool failed

Engaged ,
Mar 28, 2019

Copy link to clipboard

Copied

I have created a new Windows Server 2016 and installed ColdFusion 2018 on it.  Everything was working. Next I started going through the lockdown guide.  I got to the part about running the auto lockdown tool (section 2.6).  The tool ran fine but when I was reviewing folder permissions and other IIS settings I was not seeing everything that it should have done.  After carefully looking through the log file I found that it encountered an error and then started rolling back changes.  Now I have an unstable server with a mix of settings.

The log file seems to indicate that it failed when attempting to change the logon user for the additional ColdFusion services.  Well I did not install the additional services as we don't need them.  I guess the tool is not smart enough to bypass that and so it failed.  Why?

Here is an excerpt from the log file:

2019-03-28 12:22:23 INFO  - Folder permissions changed!

2019-03-28 12:22:23 INFO  - Successfully setup file system permissions for ColdFusion!

2019-03-28 12:22:23 INFO  - Setting up registry permissions for ColdFusion!

2019-03-28 12:22:23 INFO  - Now starting to change registry permissions!

2019-03-28 12:22:24 INFO  - ColdFusion version is: 2018

2019-03-28 12:22:24 INFO  - Now getting all registry keys!

2019-03-28 12:22:24 INFO  - All registry keys to change received!

2019-03-28 12:22:24 INFO  - Registry permissions were successfully changed!

2019-03-28 12:22:24 INFO  - Successfully changed the registry permissions for ColdFusion!

2019-03-28 12:22:24 INFO  - Changing logon users for ColdFusion services

2019-03-28 12:22:24 INFO  - Trying to change logon user for ColdFusion

2019-03-28 12:22:25 INFO  - Changing for: ColdFusion2018Add-onServices

2019-03-28 12:22:25 INFO  - [SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

2019-03-28 12:22:25 INFO  - Changing for: ColdFusion 2018 Application Server

2019-03-28 12:22:26 INFO  - [SC] ChangeServiceConfig SUCCESS

2019-03-28 12:22:26 INFO  - Changing for: ColdFusion 2018 ODBC Agent

2019-03-28 12:22:26 INFO  - [SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

2019-03-28 12:22:26 INFO  - Changing for: ColdFusion 2018 ODBC Server

2019-03-28 12:22:26 INFO  - [SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

2019-03-28 12:22:26 INFO  - Failed to change the logon users for ColdFusion services!

2019-03-28 12:22:26 INFO  - Rolling back the changes because of the Lockdown failure

2019-03-28 12:22:26 INFO  - Reverting back the registry permissions changed during Lockdown

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - Registry key not found. Caught NullReferenceException: Object reference not set to an instance of an object.

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - SYSTEM\CurrentControlSet\Services\ColdFusion 2018 Application Server key permissions were changed.

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - Registry key not found. Caught NullReferenceException: Object reference not set to an instance of an object.

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - Registry key not found. Caught NullReferenceException: Object reference not set to an instance of an object.

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - Registry key not found. Caught NullReferenceException: Object reference not set to an instance of an object.

2019-03-28 12:22:28 INFO  - Successfully reverted back the registry permissions changed during Lockdown

2019-03-28 12:22:28 INFO  - Reverting back the ColdFusion file system permissions to its original state

Why did it fail like this? Are the additional services required just to run this lock down tool?  That doesn't make a lot of sense if you don't need them.

Views

972

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

ColdFusion 2018 Server Auto Lockdown Tool failed

Engaged ,
Mar 28, 2019

Copy link to clipboard

Copied

I have created a new Windows Server 2016 and installed ColdFusion 2018 on it.  Everything was working. Next I started going through the lockdown guide.  I got to the part about running the auto lockdown tool (section 2.6).  The tool ran fine but when I was reviewing folder permissions and other IIS settings I was not seeing everything that it should have done.  After carefully looking through the log file I found that it encountered an error and then started rolling back changes.  Now I have an unstable server with a mix of settings.

The log file seems to indicate that it failed when attempting to change the logon user for the additional ColdFusion services.  Well I did not install the additional services as we don't need them.  I guess the tool is not smart enough to bypass that and so it failed.  Why?

Here is an excerpt from the log file:

2019-03-28 12:22:23 INFO  - Folder permissions changed!

2019-03-28 12:22:23 INFO  - Successfully setup file system permissions for ColdFusion!

2019-03-28 12:22:23 INFO  - Setting up registry permissions for ColdFusion!

2019-03-28 12:22:23 INFO  - Now starting to change registry permissions!

2019-03-28 12:22:24 INFO  - ColdFusion version is: 2018

2019-03-28 12:22:24 INFO  - Now getting all registry keys!

2019-03-28 12:22:24 INFO  - All registry keys to change received!

2019-03-28 12:22:24 INFO  - Registry permissions were successfully changed!

2019-03-28 12:22:24 INFO  - Successfully changed the registry permissions for ColdFusion!

2019-03-28 12:22:24 INFO  - Changing logon users for ColdFusion services

2019-03-28 12:22:24 INFO  - Trying to change logon user for ColdFusion

2019-03-28 12:22:25 INFO  - Changing for: ColdFusion2018Add-onServices

2019-03-28 12:22:25 INFO  - [SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

2019-03-28 12:22:25 INFO  - Changing for: ColdFusion 2018 Application Server

2019-03-28 12:22:26 INFO  - [SC] ChangeServiceConfig SUCCESS

2019-03-28 12:22:26 INFO  - Changing for: ColdFusion 2018 ODBC Agent

2019-03-28 12:22:26 INFO  - [SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

2019-03-28 12:22:26 INFO  - Changing for: ColdFusion 2018 ODBC Server

2019-03-28 12:22:26 INFO  - [SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

2019-03-28 12:22:26 INFO  - Failed to change the logon users for ColdFusion services!

2019-03-28 12:22:26 INFO  - Rolling back the changes because of the Lockdown failure

2019-03-28 12:22:26 INFO  - Reverting back the registry permissions changed during Lockdown

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - Registry key not found. Caught NullReferenceException: Object reference not set to an instance of an object.

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - SYSTEM\CurrentControlSet\Services\ColdFusion 2018 Application Server key permissions were changed.

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - Registry key not found. Caught NullReferenceException: Object reference not set to an instance of an object.

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - Registry key not found. Caught NullReferenceException: Object reference not set to an instance of an object.

2019-03-28 12:22:28 INFO  -

2019-03-28 12:22:28 INFO  - Registry key not found. Caught NullReferenceException: Object reference not set to an instance of an object.

2019-03-28 12:22:28 INFO  - Successfully reverted back the registry permissions changed during Lockdown

2019-03-28 12:22:28 INFO  - Reverting back the ColdFusion file system permissions to its original state

Why did it fail like this? Are the additional services required just to run this lock down tool?  That doesn't make a lot of sense if you don't need them.

Views

973

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Mar 28, 2019 0
Adobe Community Professional ,
Mar 28, 2019

Copy link to clipboard

Copied

I would recommend checking the filesystem to see if the permissions have in fact been changed back. To be perfectly honest I'm a bit leery of the auto-lockdown tool, but part of that is simply that I'm well-versed in the manual lockdown process (thanks Pete Freitag for documenting it so well!)

If you don't have ODBC Agent and ODBC Service installed, there won't be any registry changes to be made, I believe.

Dave Watts, Eidolon LLC

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 28, 2019 0
Engaged ,
Mar 29, 2019

Copy link to clipboard

Copied

Agreed Dave.  I have always performed the steps manually and feel comfortable doing so (thanks to Pete).  The only reason I ran this tool is because Pete's latest lock down guide for CF 2018 recommends doing so. Believe me, my trust in Adobe's processes is not at the highest.

Anyway, to your other point, I was checking the filesystem permissions and that is what led me to realize that it did not work.  At least not fully,  The permissions that I know are required were missing.  And, yes, the fact that I did not install those additional services means there are no changes to be made in the registry or for the window's services.  That's my point, Adobe's own lock down process should recognize that those services are not required and be able to gracefully get passed updating of those items.  Right?

This is the point in the log file that I am referring to:

2019-03-28 12:22:25 INFO  - Changing for: ColdFusion2018Add-onServices

2019-03-28 12:22:25 INFO  - [SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.

As you can see, it seems to recognize that the services are not installed.

2019-03-28 12:22:26 INFO  - Failed to change the logon users for ColdFusion services!

2019-03-28 12:22:26 INFO  - Rolling back the changes because of the Lockdown failure

2019-03-28 12:22:26 INFO  - Reverting back the registry permissions changed during Lockdown

But then why does it fail and start rolling changes back?

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Mar 29, 2019 0
Engaged ,
Apr 02, 2019

Copy link to clipboard

Copied

Just to update this thread, I posted this same issue on the CFML Slack channel and Priyank from Adobe responded that his team was able to duplicate the issue with the latest lock down tool and he has submitted a bug ticket for it.

Here is Priyank's response from the Slack channel:

I logged a bug for this issue on Windows platform. I have asked team to look into the issue and if possible provide a fix. As a workaround, you can install the Add-on service, .NET service during ColdFusion installation and after that the Auto lockdown will work. It is checking these component and if it is finding NOT INSTALLED, it failed.

I tried searching for the bug that he mentioned to link from here but I could not find it.

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Apr 02, 2019 1
Adobe Employee ,
Apr 02, 2019

Copy link to clipboard

Copied

It is an internal bug and I did not make it public. I will update the thread once it is fixed.

Thanks,

Priyank

Thanks,
Priyank Shrivastava

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Apr 02, 2019 0
Adobe Community Professional ,
Apr 04, 2019

Copy link to clipboard

Copied

[Subscribe] 

/Charlie (server troubleshooter, carehart.org)

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Apr 04, 2019 0
DougCain LATEST
New Here ,
Jul 29, 2019

Copy link to clipboard

Copied

Any movement on this one as I have just come across it - seems silly you need to have unwanted services installed to lockdown a server

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Jul 29, 2019 0